GHSA-G3VV-G2J5-45F2
Vulnerability from github – Published: 2022-04-08 22:08 – Updated: 2026-01-23 22:34
VLAI?
Summary
ipld/go-codec-dagpb panics when processing certain blocks
Details
Impact
Decoding certain blocks using the go-ipld-prime version of the dag-pb codec (go-codec-dagpb) can cause a panic. The panic comes from an assumption that the reported link length is accurate, but if the block ends before that reported length then it’s a buffer overread.
Patches
The issue is fixed in v1.3.1 and above.
Consumers can discover the versions of go-codec-dagpb in a module's dependency graph using the following command in the module root:
go mod graph | grep go-codec-dagpb
Workarounds
You can work around this issue without upgrading by recovering panics higher in the call stack of the goroutine that calls the defective code.
For more information
If you have any questions or comments about this advisory:
- Ask in IPFS Discord #ipld-chatter
- Open an issue in go-codec-dagpb
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ipld/go-codec-dagpb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2584"
],
"database_specific": {
"cwe_ids": [
"CWE-119"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-08T22:08:45Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact \nDecoding certain blocks using the go-ipld-prime version of the dag-pb codec (go-codec-dagpb) can cause a panic. The panic comes from an assumption that the reported link length is accurate, but if the block ends before that reported length then it\u2019s a buffer overread.\n\n### Patches\nThe issue is fixed in v1.3.1 and above.\n\nConsumers can discover the versions of `go-codec-dagpb` in a module\u0027s dependency graph using the following command in the module root:\n\n```go mod graph | grep go-codec-dagpb```\n\n### Workarounds\nYou can work around this issue without upgrading by recovering panics higher in the call stack of the goroutine that calls the defective code.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Ask in [IPFS Discord #ipld-chatter](https://discord.gg/ipfs)\n* Open an issue in [go-codec-dagpb](https://github.com/ipld/go-codec-dagpb)",
"id": "GHSA-g3vv-g2j5-45f2",
"modified": "2026-01-23T22:34:06Z",
"published": "2022-04-08T22:08:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ipld/go-codec-dagpb/security/advisories/GHSA-g3vv-g2j5-45f2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2584"
},
{
"type": "WEB",
"url": "https://github.com/ipld/go-codec-dagpb/commit/a17ace35cc760a2698645c09868f9050fa219f57"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0422"
},
{
"type": "PACKAGE",
"url": "github.com/ipld/go-codec-dagpb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ipld/go-codec-dagpb panics when processing certain blocks"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…